Getting around the China firewall on the iPhone.

Lately I have been traveling a bit to Beijing, China to do some Open Source trainings. Before I went here the first time I installed OpenVPN and tinyproxy on my QNAP (running Debian) at home. This allowed me to bypass the restrictions of the Chinese internet connection and access sites like Facebook, Ars Technica and Twitter. It worked great for my laptop, but I could not get it to work on my iPhone without jailbreaking it. Since I didn’t want to do that, I looked at the built-in VPN functionality of the iPhone to see if I could utilize that together with tinyproxy to provide a workaround.

The iPhone supports two different VPN protocols: L2TP and PPTP. I quickly dismissed L2TP for my usage since it requires a full IPsec stack and it didn’t seem trivial at first glance. PPTP, on the other hand, seemed quite easy to install and configure. Note that L2TP is probably the better and more secure alternative of the two, but it seemed like huge overkill to me; I just wanted to access some websites with my phone, and it’s not that big of a secret.

Instead of configuring the iPhone for direct NAT access from the VPN, I wanted to use the same tinyproxy that I used for my laptop, but it didn’t work well at all. I often got reset messages, or it stopped loading the page in the middle, etc. I tried some basic troubleshooting, making sure that the VPN tunnel worked fine, and soon it was evident that the iPhone didn’t play well with tinyproxy.

The solution was to use Polipo (http://www.pps.jussieu.fr/~jch/software/polipo/). Polipo has the added benefit that it can cache web pages as well. I can really recommend the solution of PPTP + Polipo if you need to work around firewalls or similar blocking behavior. It is also good to use this solution when you are on an open Wi-Fi network, so that people are not sniffing your credentials.

Next up is to try to figure out how to configure proxy-autodetect for both the iPhone and the Mac so that I don’t have to use manual settings when I connect to the VPN. But that seems to be a can of worms…